During the past twelve months, the number of recorded ransomware attacks against healthcare organizations – particularly small- and medium-sized practices – has increased significantly. Security experts attribute the increase to healthcare organizations being more vulnerable during the COVID-19 pandemic, as well as to cybercriminals stepping up their attacks on the healthcare sector.
Large healthcare organizations, while certainly valuable targets for cybercriminals, are not the easiest targets to attack because of the considerable resources they invest in cybersecurity. Infiltrating the networks of larger organizations can prove complicated and time consuming, whereas small- and medium-sized practices do not have the same amount of money to invest in cybersecurity but still hold significant amounts of sensitive data.
Along with investing less in cybersecurity measures, smaller practices have in the past been guilty of neglecting staff HIPAA training because HHS' enforcement actions have focused on larger organizations. It may also be the case that small- and medium-sized practices do not consider themselves attractive targets for cybercriminals and therefore neglect security and training, which makes them easier targets.
Cyberattacks on Small- & Medium-Sized Healthcare Practices Increasing
A recently published report by the CTI League highlighted the main emerging threats in the healthcare sector. In the last quarter of 2020, experts discovered a significant rise in cyberattacks on the healthcare industry. The report stated: “From October to December, the CTI League observed a dramatic uptick in focused attacks against healthcare entities, particularly small- and medium-sized hospitals and clinics, which impacted clinical workflows at hundreds of healthcare providers.”
Ransomware response company Coveware also produced data (see graph below) which demonstrates the extent to which attacks are conducted on small- and medium-sized healthcare organizations. Coveware recently reported:
- Nearly 70% of ransomware attacks were targeted on healthcare organizations with fewer than 1,000 employees.
- During Q4 2020, 65.9% of these attacks were on small (30.2%) and medium (35.7%) sized practices.
- While Ryuk and Sodinokibi ransomware attacks focus on large enterprises, the Dharma, Snitch, and Netwalker ransomware campaigns focused firmly on small- to medium-sized practices.
What Steps Can Small- & Medium-Sized Healthcare Practices Take to Stop Cyberattacks?
Identifying the correct types of cybersecurity measures to implement in order to stop cyber threat actors from infiltrating your network is not a straightforward task. It is often better to start with a range of small changes which will enhance your security posture and build out from there. Here we have listed some measures you can implement to tackle phishing, RDP compromises, ransomware attacks, and to train the workforce how to recognize and avoid threats:
- Multi-factor authentication: Multi-factor authentication is an important cybersecurity measure that acts as a failsafe in case credentials are compromised. If credentials are stolen in a phishing attack or are otherwise compromised, access to an account will be blocked unless a second authentication factor is provided. Microsoft reports that MFA will block more than 99.9% of attacks on accounts.
- Phishing: Phishing is a leading cause of healthcare data breaches. Phishing emails are used to steal credentials and distribute malware and ransomware. You should implement a password policy that requires strong passwords for all accounts and 2-factor/multi-factor authentication should be implemented on all email accounts. The workforce must be trained how to recognize phishing emails. Also consider conducting phishing simulation exercises to reinforce training and to test the effectiveness of the training program. Employees who fail phishing simulations can be provided with further training.
- RDP compromise: Disable Internet-facing RDP if possible. If that is not possible, do not allow direct connections over the Internet; ensure a VPN is used. Enforce the use of strong passwords and configure multi-factor authentication. Disallow external connections to local machines on port 3389 and other RDP ports at the perimeter firewall.
- Vulnerability management: Vulnerabilities and threats to ePHI must be managed and reduced to an acceptable level. It is therefore essential to keep on top of patching and software updates. Vulnerabilities in software and operating systems are often exploited to gain access to healthcare networks. Patching should be prioritized, with the most serious vulnerabilities addressed first. If patches cannot be implemented, workarounds and other mitigations should be implemented. Legacy systems that cannot be patched should be isolated and never exposed to the Internet.
- Data encryption: Encryption of data at rest and in transit is an addressable requirement of the HIPAA Security Rule. Encryption should be implemented unless an alternative measure can be implemented that provides an equivalent level of protection. Encryption should be used on all portable electronic devices, but also consider encrypting data on the network. In the event of a ransomware or malware infection, or a network compromise, ePHI will be protected.
- Network segmentation: You should assume that your perimeter defenses will be breached. You should therefore segment your network to ensure that access cannot be gained to all systems. Network segmentation involves separating the network into different subnets, with each acting as its own small network. This can greatly reduce the severity of a cyberattack.
- Security awareness training: Conduct employee security awareness training to educate your workforce about cyber threats and train them to identify them. Training needs to be conducted regularly: a once-a-year session is no longer adequate. Regular sessions also help to develop a security culture.
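An added check for the RDP item above, written for this page and not taken from the article or any vendor: a read-only PowerShell audit of a Windows host that reports whether Remote Desktop is enabled, whether Network Level Authentication is required, and which enabled inbound firewall rules allow the RDP listener port from addresses outside the VPN client subnet. The subnet 10.8.0.0/24 is an assumed placeholder for the practice's VPN address pool.

```powershell
# Added RDP exposure audit (not from the original article). Read-only: it reports, it does not change anything.
# Assumption: VPN clients arrive from 10.8.0.0/24 (placeholder; replace with the practice's real VPN pool).
$VpnSubnet = '10.8.0.0/24'

$ts  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$tcp = "$ts\WinStations\RDP-Tcp"

# 1. Is Remote Desktop enabled at all? fDenyTSConnections = 1 means RDP is disabled.
$rdpDisabled = (Get-ItemProperty -Path $ts -Name fDenyTSConnections -ErrorAction SilentlyContinue).fDenyTSConnections -eq 1
# 2. Is Network Level Authentication required? UserAuthentication = 1 means NLA is enforced.
$nla = (Get-ItemProperty -Path $tcp -Name UserAuthentication -ErrorAction SilentlyContinue).UserAuthentication -eq 1
# 3. Which port does the listener use? Default 3389; a non-default port is not a security control by itself.
$port = (Get-ItemProperty -Path $tcp -Name PortNumber -ErrorAction SilentlyContinue).PortNumber

[PSCustomObject]@{ RdpDisabled = $rdpDisabled; NlaRequired = $nla; ListenerPort = $port }

# 4. Enabled inbound allow rules for the RDP port whose remote scope is not limited to the VPN subnet.
#    Any hit means RDP is reachable from wherever this host is reachable, which on an
#    Internet-facing machine is exactly what the article says to avoid.
$exposed = Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True |
  Where-Object {
    $pf = $_ | Get-NetFirewallPortFilter
    $pf.Protocol -eq 'TCP' -and ($pf.LocalPort -contains "$port" -or $pf.LocalPort -eq 'Any')
  } |
  Where-Object {
    $af = $_ | Get-NetFirewallAddressFilter
    # 'Any' or any scope that does not name the VPN subnet is treated as exposed (conservative).
    $af.RemoteAddress -eq 'Any' -or $af.RemoteAddress -notcontains $VpnSubnet
  }

if ($exposed) {
  Write-Warning "Inbound rules allowing TCP/$port from outside ${VpnSubnet}:"
  $exposed | Select-Object DisplayName, Profile | Format-Table -AutoSize
  # Remediation, applied deliberately rather than automatically: scope the rule to the VPN pool.
  # $exposed | Set-NetFirewallRule -RemoteAddress $VpnSubnet
} else {
  Write-Output "No enabled inbound allow rule exposes TCP/$port beyond $VpnSubnet."
}
```

Run it in an elevated PowerShell on each host that accepts RDP; a host that is not Internet-facing may legitimately show LocalSubnet-scoped rules, which this conservative check also flags for review.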
Small- to medium-sized healthcare practices are a prime target for hackers, and phishing and ransomware attacks are rife. It may not be possible to invest heavily in cybersecurity measures, but by starting with the basics and implementing cybersecurity best practices, it is possible to significantly improve cybersecurity defenses and make it much harder for cyber threat actors to gain a foothold in the network and steal sensitive data.
The increase in targeted attacks on the healthcare industry, especially on small- and medium-sized healthcare organizations, has made it more important than ever to ensure adequate security measures are in place and employees receive adequate training to help them identify and avoid cyber threats.